View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004752 | OXID eShop (all versions) | 4.04. Security | public | 2012-11-27 12:04 | 2012-11-27 16:59 |
Reporter | tjungcl | Assigned To | |||
Priority | normal | Severity | major | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 4.6.5 revision 49955 | ||||
Fixed in Version | 4.6.6 revision 54646 | ||||
Summary | 0004752: double opt-in link reusable | ||||
Description | Regarding https://bugs.oxid-esales.com/view.php?id=4463: the case is closed, because after the fix, you send a new confirmation email to the new email address. The link from the first double opt-in email is reusable for any email address, though: the uid=... param is the oxid of the user and independent of the email address. So, you can double opt-in with your own email address, then change the email address in the account settings, and click the link from the first double opt-in email again. If you would use as uid param a hash-coded string from userid + email address, the link would be (re)usable only for this one combination. | ||||
Tags | No tags attached. | ||||
Theme | Both | ||||
Browser | All | ||||
PHP Version | any | ||||
Database Version | any | ||||
duplicate of | 0004753 | resolved | aurimas.gladutis | double opt-in can be fooled completely |
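
The binding suggested in the description, as an added example that is not OXID eShop code and not the fix shipped in 4.6.6: the confirmation value is derived from user id plus email address, so a link issued for one address stops validating once the stored address changes. It goes beyond the report by using a keyed HMAC instead of a plain hash (a plain hash of known values could be recomputed by anyone); the function names, the secret constant, the sample user and the PHP 7+ syntax are assumptions.

```php
<?php
// Added example: all names, the secret and the sample data are hypothetical.

// Server-side secret; constructed placeholder, load a random value from config in practice.
const OPTIN_SECRET = 'replace-with-random-server-side-secret';

/** Canonical form, so that case or whitespace differences do not change the token. */
function normalizeEmail(string $email): string
{
    return strtolower(trim($email));
}

/**
 * Token bound to the (user id, email) pair.
 * The length prefix keeps the concatenation unambiguous.
 */
function optInToken(string $userId, string $email, string $secret = OPTIN_SECRET): string
{
    $message = strlen($userId) . ':' . $userId . '|' . normalizeEmail($email);
    return hash_hmac('sha256', $message, $secret);
}

/**
 * Accept the link only if the token matches the address currently stored
 * for the user, not the address that was stored when the mail was sent.
 */
function confirmOptIn(array $user, string $token, string $secret = OPTIN_SECRET): bool
{
    $expected = optInToken($user['id'], $user['email'], $secret);
    return hash_equals($expected, $token); // constant-time comparison
}

// Constructed sample user.
$user = ['id' => 'sample-user-oxid', 'email' => 'owner@example.org'];

// Value placed in the first double opt-in mail.
$token = optInToken($user['id'], $user['email']);

// Clicked while the stored address is still the one the token was issued for.
var_dump(confirmOptIn($user, $token));

// Address changed in the account settings, then the first link is clicked again:
// the token is now checked against the new address.
$user['email'] = 'someone.else@example.org';
var_dump(confirmOptIn($user, $token));
```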